KEY AGREEMENT AND TRANSPORT PROTOCOL

This application is a continuation-in-part of United States Application No. 98/426,090.

The present invention relates to key agreement protocols for transfer and authentication of encryption keys.

To retain privacy during the exchange of information it is well known to encrypt data using a key. The key must be chosen so that the correspondents are able to encrypt and decrypt messages but such that an interceptor cannot determine the contents of the message.

In a secret key cryptographic protocol, the correspondents share a common key that is secret to them. This requires the key to be agreed upon between the correspondents and for provision to be made to maintain the secrecy of the key and provide for change of the key should the underlying security be compromised.

Public key cryptographic protocols were first proposed in 1976 by Diffie and Hellman and utilize a public key made available to all potential correspondents and a private key known only to the intended recipient. The public and private keys are related such that a message encrypted with the public key of a recipient can be readily decrypted with the private key, but the private key cannot be derived from knowledge of the plaintext, ciphertext and public key.

Key establishment is the process by which two (or more) parties establish a shared secret key, called the session key. The session key is subsequently used to achieve some cryptographic goal, such as privacy. There are two kinds of key establishment protocol: key transport protocols, in which a key is created by one party and securely transmitted to the second party; and key agreement protocols, in which both parties contribute information which jointly establishes the shared secret key. The number of message exchanges required between the parties is called the number of passes. A key establishment protocol is said to provide implicit key authentication (or simply key authentication) if one party is assured that no other party aside from a specially identified second party may learn the value of the session key. The property of implicit key authentication does not necessarily mean that the second party actually possesses the session key. A key establishment protocol is said to provide key confirmation if one party is assured that a specially identified second party actually has possession of a particular session key. If the authentication is provided to both parties involved in the protocol, then the key authentication is said to be mutual; if provided to only one party, the authentication is said to be unilateral.

There are various prior proposals which claim to provide implicit key authentication. Examples include the Nyberg-Rueppel one-pass protocol and the Matsumoto-Takashima-Imai (MTI) and the Goss and Yacobi two-pass protocols for key agreement.

The prior proposals ensure that transmissions between correspondents to establish a common key are secure and that an interloper cannot retrieve the session key and decrypt the ciphertext. In this way security for sensitive transactions such as transfer of funds is provided.

For example, the MTI/A0 key agreement protocol establishes a shared secret K, known to the two correspondents, in the following manner:

1. During initial, one-time setup, key generation and publication is undertaken by selecting and publishing an appropriate system prime p and generator $\alpha$ in a manner guaranteeing authenticity. Correspondent A selects as a long-term private key a random integer a, $1 \le a \le p-2$, and computes a long-term public key $z_A = \alpha^a \bmod p$. B generates analogous keys b, $z_B$. A and B have access to authenticated copies of each other's long-term public key.

2. The protocol requires the exchange of the following messages:

   A $\rightarrow$ B: $\alpha^x \bmod p$   (1)
   A $\leftarrow$ B: $\alpha^y \bmod p$   (2)

The values of x and y remain secure during such transmissions as it is impractical to determine the exponent even when the value of $\alpha$ and the exponentiation is known, provided of course that p is chosen sufficiently large.

3. To implement the protocol the following steps are performed each time a shared key is required:

   (a) A chooses a random integer x, $1 \le x \le p-2$, and sends B message (1), i.e. $\alpha^x \bmod p$.
   (b) B chooses a random integer y, $1 \le y \le p-2$, and sends A message (2), i.e. $\alpha^y \bmod p$.
   (c) A computes the key $K = (\alpha^y)^a (z_B)^x \bmod p$.
   (d) B computes the key $K = (\alpha^x)^b (z_A)^y \bmod p$.
   (e) Both share the key $K = \alpha^{bx+ay}$.

In order to compute the key K, A must use his secret key a and the random integer x, both of which are known only to him. Similarly B must use her secret key b and random integer y to compute the session key K. Provided the secret keys a, b remain uncompromised, an interloper cannot generate a session key identical to that of the other correspondent. Accordingly, any ciphertext will not be decipherable by both correspondents.

As such this and related protocols have been considered satisfactory for key establishment and resistant to conventional eavesdropping or man-in-the-middle attacks.

In some circumstances it may be advantageous for an adversary to mislead one correspondent as to the true identity of the other correspondent.

In such an attack an active adversary or interloper E modifies messages exchanged between A and B, with the result that B believes that he shares a key K with E while A believes that she shares the same key K with B. Even though E does not learn the value of K, the misinformation as to the identity of the correspondents may be useful.

A practical scenario where such an attack may be launched successfully is the following. Suppose that B is a bank branch and A is an account holder. Certificates are issued by the bank headquarters and within the certificate is the account information of the holder. Suppose that the protocol for electronic deposit of funds is to exchange a key with a bank branch via a mutually authenticated key agreement. Once B has authenticated the transmitting entity, encrypted funds are deposited to the account number in the certificate. If no further authentication is done in the encrypted deposit message (which might be the case to save bandwidth) then the deposit will be made to E's account.

It is therefore an object of the present invention to provide a protocol in which the above disadvantages are obviated or mitigated.

According therefore to the present invention there is provided a method of authenticating a pair of correspondents A, B to permit exchange of information therebetween, each of said correspondents having a respective private key a, b and a public key $p_A$, $p_B$ derived from a generator $\alpha$ and respective ones of said private keys a, b, said method including the steps of:

i) a first of said correspondents A selecting a first random integer x and exponentiating a function $f(\alpha)$ including said generator to a power $g(x)$ to provide a first exponentiated function $f(\alpha)^{g(x)}$;

ii) said first correspondent A forwarding to a second correspondent B a message including said first exponentiated function $f(\alpha)^{g(x)}$;

iii) said correspondent B selecting a second random integer y and exponentiating a function $f(\alpha)$ including said generator to a power $g(y)$ to provide a second exponentiated function $f(\alpha)^{g(y)}$;

iv) said second correspondent B constructing a session key K from information made public by said first correspondent A and information that is private to said second correspondent B, said session key also being constructible by said first correspondent A from information made public by B and information that is private to said first correspondent A;

v) said second correspondent B generating a value h of a function $F[\delta, K]$, where $F[\delta, K]$ denotes a cryptographic function applied conjointly to $\delta$ and K and where $\delta$ is a subset of the public information provided by B, thereby to bind the values of $\delta$ and K;

vi) said second of said correspondents B forwarding a message to said first correspondent A including said second exponentiated function $f(\alpha)^{g(y)}$ and said value h of said cryptographic function $F[\delta, K]$;

vii) said first correspondent receiving said message and computing a session key K' from information made public by said second correspondent B and private to said first correspondent A;

viii) said first correspondent A computing a value h' of a cryptographic function, $h' = F[\delta, K']$; and

ix) comparing said values obtained from said cryptographic functions F to confirm their correspondence.

As the session key K can only be generated using information that is private to either A or B, the binding of K with $\delta$ in the cryptographic function h prevents E from extracting K or interjecting a new value of the function that will correspond to that obtained by A.

Embodiments of the invention will now be described by way of example only with reference to the accompanying drawings, in which:

Figure 1 is a schematic representation of a data communication system.

Figures 2 through 7 are schematic representations of implementations of different protocols.

Referring therefore to Figure 1, a pair of correspondents, 10, 12, denoted as correspondent A and correspondent B, exchange information over a communication channel 14. A cryptographic unit 16, 18 is interposed between each of the correspondents 10, 12 and the channel 14. A key 20 is associated with each of the cryptographic units 16, 18 to convert plaintext carried between each unit 16, 18 and its respective correspondent 10, 12 into ciphertext carried on the channel 14.

In operation, a message generated by correspondent A, 10, is encrypted by the unit 16 with the key 20 and transmitted as ciphertext over channel 14 to the unit 18.

The key 20 operates upon the ciphertext in the unit 18 to generate a plaintext message for the correspondent B, 12. Provided the keys 20 correspond, the message received by the correspondent 12 will be that sent by the correspondent 10.

In order for the system shown in Figure 1 to operate it is necessary for the keys 20 to be identical and therefore a key agreement protocol is established that allows the transfer of information in a public manner to establish the identical keys. A number of protocols are available for such key generation and embodiments of the present invention will be described below in the context of modifications of existing protocols.

A commonly used set of protocols are collectively known as the Matsumoto-Takashima-Imai or "MTI" key agreement protocols, and are variants of the Diffie-Hellman key exchange. Their purpose is for parties A and B to establish a secret session key K.

The system parameters for these protocols are a prime number p and a generator $\alpha$ of the multiplicative group $\mathbb{Z}_p^*$. Correspondent A has private key a and public key $p_A = \alpha^a$. Correspondent B has private key b and public key $p_B = \alpha^b$. In all four protocols exemplified below, $\text{text}_A$ refers to a string of information that identifies party A. If the other correspondent B possesses an authentic copy of correspondent A's public key, then $\text{text}_A$ will contain A's public-key certificate, issued by a trusted center; correspondent B can use his authentic copy of the trusted center's public key to verify correspondent A's certificate, hence obtaining an authentic copy of correspondent A's public key.

In each example below it is assumed that an interloper E wishes to have messages from A identified as having originated from E herself. To accomplish this, E selects a random integer e, $1 \le e \le p-2$, computes $p_E = (p_A)^e = \alpha^{ae} \bmod p$, and gets this certified as her public key. E does not know the exponent ae, although she knows e. By substituting $\text{text}_E$ for $\text{text}_A$, the correspondent B will assume that the message originates from E rather than A and use E's public key to generate the session key K. E also intercepts the message from B and uses her secret random integer e to modify its contents. A will then use that information to generate the same session key, allowing A to communicate with B.

The present invention is exemplified by modifications to four of the family of MTI protocols which foil this new attack, thereby achieving the desired property of mutual implicit authentication. In the modified protocols exemplified below F(X, Y) denotes a cryptographic function applied to a string derived from X and Y. Typically, and as exemplified, a hash function, such as the NIST "Secure Hash Algorithm" (SHA-1), is applied to the string obtained by concatenating X and Y, but it will be understood that other cryptographic functions may be used.

Example 1 - MTI/A0 protocol

The existing protocol operates as follows:

1. Correspondent A generates a random integer x, $1 \le x \le p-2$, computes $\alpha^x$, and sends $\{\alpha^x, \text{text}_A\}$ to party B.
2. Correspondent B generates a random integer y, $1 \le y \le p-2$, computes $\alpha^y$, and sends $\{\alpha^y, \text{text}_B\}$ to party A.
3. Correspondent A computes $K = (\alpha^y)^a (p_B)^x = \alpha^{ay+bx}$.
4. Correspondent B computes $K = (\alpha^x)^b (p_A)^y = \alpha^{bx+ay}$.

A common key K is thus obtained. However, with this arrangement, interloper E may have messages generated by correspondent A identified as having originated from E in the following manner.

1. E intercepts A's message $\{\alpha^x, \text{text}_A\}$ and replaces it with $\{\alpha^x, \text{text}_E\}$. The provision of the message $\text{text}_E$ identifies the message as having originated at E.
2. B sends $\{\alpha^y, \text{text}_B\}$ to E, who then forwards $\{(\alpha^y)^e, \text{text}_B\}$ to A. Since A receives $\text{text}_B$, he assumes the message originates at B and, as he does not know the value of y, assumes that $(\alpha^y)^e$ is valid information.
3. A computes $K = (\alpha^{ye})^a (p_B)^x = \alpha^{aey+bx}$.
4. B computes $K = (\alpha^x)^b (p_E)^y = \alpha^{bx+aey}$.
5. A and B now share the key K, even though B believes he shares a key with E.

Accordingly any further transactions from A to B will be considered by B to have originated at E. B will act accordingly, crediting instructions to E. Even though the interloper E does not learn the value of the session key K, nevertheless the assumption that the message originates at E may be valuable and achieve the desired effect.

To avoid this problem, the protocol is modified as follows:

1. A generates a random integer x, $1 \le x \le p-2$, computes $\alpha^x$, and sends $\{\alpha^x, \text{text}_A\}$ to party B.
2. B generates a random integer y, $1 \le y \le p-2$, and computes $\alpha^y$, $K = (\alpha^x)^b (p_A)^y = \alpha^{bx+ay}$, and a value h of the cryptographic hash function $F(\alpha^y, \alpha^{bx+ay})$, which is a function of public information $\delta$ and the key K. B sends $\{\alpha^y, h, \text{text}_B\}$ to party A.
3. A computes $K = (\alpha^y)^a (p_B)^x = \alpha^{ay+bx}$. A also computes a value h' of the cryptographic hash function $F(\alpha^y, K)$ and verifies that this value is equal to h.

If E attempts to interpose her identification, $\text{text}_E$, the attack fails on the modified protocols because in each case B sends the hash value $F(\delta, K)$, where $\delta$ is B's random exponential, $\alpha^y$, thereby binding together the values of $\delta$ and K. E cannot subsequently replace the value of $\delta$ with $\delta^e$ and compute $F(\delta^e, K)$ since E does not know K. Even though E knows $\alpha^y$, this is not sufficient to extract K from the hash value h. Accordingly, even if E interposes the value $\delta^e$ so that the keys 20 will agree, the values h, h' will not.
Example 2 - MTI/B0 protocol

In this protocol (where $a^{-1}$ and $b^{-1}$ denote the inverses of a and b modulo p-1):

1. A generates a random integer x, $1 \le x \le p-2$, computes $(p_B)^x = \alpha^{bx}$, and sends $\{\alpha^{bx}, \text{text}_A\}$ to party B.
2. B generates a random integer y, $1 \le y \le p-2$, computes $(p_A)^y = \alpha^{ay}$, and sends $\{\alpha^{ay}, \text{text}_B\}$ to party A.
3. A computes $K = (\alpha^{ay})^{a^{-1}} \alpha^x = \alpha^{x+y}$.
4. B computes $K = (\alpha^{bx})^{b^{-1}} \alpha^y = \alpha^{x+y}$.

This protocol is vulnerable to the interloper E if:

1. E replaces A's message $\{\alpha^{bx}, \text{text}_A\}$ with $\{\alpha^{bx}, \text{text}_E\}$ to identify herself as the originator of the message.
2. B sends $\{(p_E)^y, \text{text}_B\}$ to E, who then computes $((p_E)^y)^{e^{-1}} = \alpha^{ay}$ and forwards $\{\alpha^{ay}, \text{text}_B\}$ to A.
3. A computes $K = (\alpha^{ay})^{a^{-1}} \alpha^x = \alpha^{x+y}$.
4. B computes $K = (\alpha^{bx})^{b^{-1}} \alpha^y = \alpha^{x+y}$.
5. A and B now share the key K, even though B believes he shares a key with E.

This protocol may be modified to resist E's attack as follows.

1. A generates a random integer x, $1 \le x \le p-2$, computes $(p_B)^x = \alpha^{bx}$, and sends $\{\alpha^{bx}, \text{text}_A\}$ to party B.
2. B generates a random integer y, $1 \le y \le p-2$, and computes $(p_A)^y = \alpha^{ay}$, $K = (\alpha^{bx})^{b^{-1}} \alpha^y = \alpha^{x+y}$, and the value h of the hash function $F(\alpha^{ay}, \alpha^{x+y})$. B sends $\{\alpha^{ay}, h, \text{text}_B\}$ to A.
3. A computes $K = (\alpha^{ay})^{a^{-1}} \alpha^x = \alpha^{x+y}$. A also computes the value h' of the hash function $F(\alpha^{ay}, K)$ and verifies that this value is equal to h.

Once again, E cannot determine the session key K and so cannot generate a new value of the hash function to maintain the deception.

Example 3 - MTI/C0 protocol

This protocol operates as follows:

1. A generates a random integer x, $1 \le x \le p-2$, computes $(p_B)^x = \alpha^{bx}$, and sends $\{\alpha^{bx}, \text{text}_A\}$ to party B.
2. B generates a random integer y, $1 \le y \le p-2$, computes $(p_A)^y = \alpha^{ay}$, and sends $\{\alpha^{ay}, \text{text}_B\}$ to party A.
3. A computes $K = (\alpha^{ay})^{a^{-1} x} = \alpha^{xy}$.
4. B computes $K = (\alpha^{bx})^{b^{-1} y} = \alpha^{xy}$.

The interloper E may interpose her identity as follows:

1. E replaces A's message $\{\alpha^{bx}, \text{text}_A\}$ with $\{\alpha^{bx}, \text{text}_E\}$.
2. B sends $\{(p_E)^y, \text{text}_B\}$ to E, who then computes $((p_E)^y)^{e^{-1}} = \alpha^{ay}$ and forwards $\{\alpha^{ay}, \text{text}_B\}$ to A.
3. A computes $K = (\alpha^{ay})^{a^{-1} x} = \alpha^{xy}$.
4. B computes $K = (\alpha^{bx})^{b^{-1} y} = \alpha^{xy}$.
5. A and B now share the key K, even though B believes he shares a key with E.

To avoid this attack the protocol is modified as follows:

1. A generates a random integer x, $1 \le x \le p-2$, computes $(p_B)^x = \alpha^{bx}$, and sends $\{\alpha^{bx}, \text{text}_A\}$ to party B.
2. B generates a random integer y, $1 \le y \le p-2$, and computes $(p_A)^y = \alpha^{ay}$, $K = (\alpha^{bx})^{b^{-1} y} = \alpha^{xy}$, and the value h of the hash function $F(\alpha^{ay}, \alpha^{xy})$. B sends $\{\alpha^{ay}, h, \text{text}_B\}$ to party A.
3. A computes $K = (\alpha^{ay})^{a^{-1} x} = \alpha^{xy}$. A also computes the value h' of $F(\alpha^{ay}, K)$ and verifies that this value is equal to h.
Example 4 - MTI/C1 protocol

In this protocol:

1. A generates a random integer x, $1 \le x \le p-2$, computes $(p_B)^{ax} = \alpha^{abx}$, and sends $\{\alpha^{abx}, \text{text}_A\}$ to party B.
2. B generates a random integer y, $1 \le y \le p-2$, computes $(p_A)^{by} = \alpha^{aby}$, and sends $\{\alpha^{aby}, \text{text}_B\}$ to party A.
3. A computes $K = (\alpha^{aby})^x = \alpha^{abxy}$.
4. B computes $K = (\alpha^{abx})^y = \alpha^{abxy}$.

E can act as an interloper as follows:

1. E replaces A's message $\{\alpha^{abx}, \text{text}_A\}$ with $\{\alpha^{abx}, \text{text}_E\}$.
2. B sends $\{(p_E)^{by}, \text{text}_B\}$ to E, who then computes $((p_E)^{by})^{e^{-1}} = \alpha^{aby}$ and forwards $\{\alpha^{aby}, \text{text}_B\}$ to A.
3. A computes $K = (\alpha^{aby})^x = \alpha^{abxy}$.
4. B computes $K = (\alpha^{abx})^y = \alpha^{abxy}$.
5. A and B now share the key K, even though B believes he shares a key with E.

To avoid this, the protocol is modified as follows:

1. A generates a random integer x, $1 \le x \le p-2$, computes $(p_B)^{ax} = \alpha^{abx}$, and sends $\{\alpha^{abx}, \text{text}_A\}$ to party B.
2. B generates a random integer y, $1 \le y \le p-2$, and computes $(p_A)^{by} = \alpha^{aby}$, $K = (\alpha^{abx})^y = \alpha^{abxy}$, and $h = F(\alpha^{aby}, \alpha^{abxy})$. B sends $\{\alpha^{aby}, h, \text{text}_B\}$ to party A.
3. A computes $K = (\alpha^{aby})^x = \alpha^{abxy}$. A also computes $h' = F(\alpha^{aby}, K)$ and verifies that this value is equal to h.

In each of the modified protocols discussed above, key confirmation from B to A is provided.
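The four exchanges of Examples 1 to 4, E's interposition, and the $F(\delta, K)$ check that defeats it, as an added Python example that is not part of the patent. It assumes toy parameters (p = 2^127 - 1, base 3), uses SHA-256 in place of the SHA-1 named above, and draws every exponent coprime to p - 1 so that the inverse exponents of MTI/B0 and MTI/C0 exist. For each variant, run() reports whether A and B end up with the same K, which party B believes the peer to be, and whether A's comparison of h' with h passes; E's fix-up of B's reply is an exponentiation by e for MTI/A0 and by $e^{-1}$ for the other three, exactly as in the examples.

```python
# Added example (not from the patent): MTI/A0, B0, C0, C1 of Examples 1-4,
# E's interposition attack and the F(delta, K) binding that defeats it.
# Toy parameters are assumptions; SHA-256 stands in for the SHA-1 named in the text.
import hashlib
import math
import secrets

P = 2**127 - 1        # Mersenne prime, demo only; use a vetted group in practice
ALPHA = 3             # base element alpha (assumed; generator status not checked)
Q = P - 1             # exponents live in Z_{p-1}


def rand_exp():
    """Random 1 <= k <= p-2 with gcd(k, p-1) = 1, so k^-1 mod (p-1) exists (B0/C0 need it)."""
    while True:
        k = secrets.randbelow(Q - 1) + 1
        if math.gcd(k, Q) == 1:
            return k


def inv(k):
    return pow(k, -1, Q)   # inverse modulo p-1 (Python 3.8+)


def F(delta, K):
    """F(delta, K): hash of delta || K (SHA-256 in place of SHA-1)."""
    return hashlib.sha256(f"{delta}|{K}".encode()).digest()


# Per variant: A's message, B's message, A's key, B's key, as written in Examples 1-4.
# pA/pB are the certified peer public keys each side looks up from text_X.
VARIANTS = {
    "A0": (lambda a, x, pB: pow(ALPHA, x, P),
           lambda b, y, pA: pow(ALPHA, y, P),
           lambda a, x, mB, pB: pow(mB, a, P) * pow(pB, x, P) % P,          # alpha^(ay+bx)
           lambda b, y, mA, pA: pow(mA, b, P) * pow(pA, y, P) % P),
    "B0": (lambda a, x, pB: pow(pB, x, P),
           lambda b, y, pA: pow(pA, y, P),
           lambda a, x, mB, pB: pow(mB, inv(a), P) * pow(ALPHA, x, P) % P,  # alpha^(x+y)
           lambda b, y, mA, pA: pow(mA, inv(b), P) * pow(ALPHA, y, P) % P),
    "C0": (lambda a, x, pB: pow(pB, x, P),
           lambda b, y, pA: pow(pA, y, P),
           lambda a, x, mB, pB: pow(mB, inv(a) * x % Q, P),                 # alpha^(xy)
           lambda b, y, mA, pA: pow(mA, inv(b) * y % Q, P)),
    "C1": (lambda a, x, pB: pow(pB, a * x % Q, P),
           lambda b, y, pA: pow(pA, b * y % Q, P),
           lambda a, x, mB, pB: pow(mB, x, P),                              # alpha^(abxy)
           lambda b, y, mA, pA: pow(mA, y, P)),
}


def run(variant, attack=False, bind=False):
    """One session of the given variant.
    attack: E substitutes text_E for text_A and re-exponentiates B's reply.
    bind:   B also sends h = F(delta, K) with delta = B's exponential; A checks h' == h."""
    msg_a, msg_b, key_a, key_b = VARIANTS[variant]
    a, b, e = rand_exp(), rand_exp(), rand_exp()
    pA, pB = pow(ALPHA, a, P), pow(ALPHA, b, P)
    pE = pow(pA, e, P)                          # E certifies p_A^e; she knows e, not ae
    x, y = rand_exp(), rand_exp()

    mA = msg_a(a, x, pB)                        # pass 1; E forwards the exponential unchanged
    peer_pub, peer_id = (pE, "E") if attack else (pA, "A")   # whom B believes sent it
    mB = msg_b(b, y, peer_pub)                  # pass 2, built with the peer key B trusts
    K_B = key_b(b, y, mA, peer_pub)
    h = F(mB, K_B) if bind else None

    # E fixes up B's exponential so that A lands on the same K:
    # A0 needs (alpha^y)^e, the others need (p_E^...)^(e^-1) = p_A^...
    mB_seen_by_A = pow(mB, e if variant == "A0" else inv(e), P) if attack else mB
    K_A = key_a(a, x, mB_seen_by_A, pB)
    check = (h is None) or (F(mB_seen_by_A, K_A) == h)   # A's h' against B's h
    return {"keys_agree": K_A == K_B, "B_thinks_peer": peer_id, "check_passes": check}
```

Without the binding, run(v, attack=True) shows the two keys agreeing while B names E as the peer, for all four variants; with bind=True the keys still agree but A's check fails, because E forwarded an exponential different from the one B hashed and cannot recompute h without K.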

As noted above, instead of F being a cryptographic hash function other functions could be used. For example, an option available is to choose $F = e_K$, where e denotes the encryption function of a suitable symmetric-key encryption scheme and K is the session key established. Because E cannot generate the session key K, it is similarly not able to generate the value of the function F and therefore cannot interpose for the correspondent A.

The technique described above can be applied to other similar key exchange protocols, including all of the three infinite classes of MTI protocols called MTI-A(k), MTI-B(k) and MTI-C(k).

The Goss authenticated key exchange protocol is similar to the MTI/A0 protocol, except that the session key is the bitwise exclusive-OR of $\alpha^{ay}$ and $\alpha^{bx}$; that is $K = \alpha^{ay} \oplus \alpha^{bx}$ instead of being the product of $\alpha^{ay}$ and $\alpha^{bx}$. Hence the attack on the MTI/A0 protocol and its modification can be extended in a straightforward manner to the case of the Goss protocol.

Similarly Yacobi's authenticated key exchange protocol is exactly the same as the MTI/A0 protocol, except that $\alpha$ is an element of the group of units $\mathbb{Z}_n^*$, where n is the product of two large primes. Again, the attack on the MTI/A0 protocol and its modification can be extended in a straightforward manner to the case of Yacobi's protocol.

A further way of foiling the interposition of E is to require that each entity prove to a trusted center that it knows the exponent of $\alpha$ that produces its public key P, before the center issues a certificate for the public key. Because E only knows "e" and not "ae" it would not meet this requirement. This can be achieved through zero knowledge techniques to protect the secrecy of the private keys, but it also requires the availability of a trusted centre, which may not be convenient.

Each of the above examples has been described with a two-pass protocol for key authentication. One-pass protocols also exist to establish a key between correspondents and may be similarly vulnerable.

As an example the Nyberg-Rueppel one-pass key agreement protocol will be described and a modification proposed. The purpose of this protocol is for party A and party B to agree upon a secret session key K.

The system parameters for this protocol are a prime number p and a generator $\alpha$ of the multiplicative group $\mathbb{Z}_p^*$. User A has private key a and public key $p_A = \alpha^a$. User B has private key b and public key $p_B = \alpha^b$.

1. A selects random integers x and t, $1 \le x, t \le p-2$.
2. A computes $r = (p_B)^t \alpha^{-x} \bmod p$, $s = x - ra \bmod (p-1)$ and the session key $K = \alpha^t \bmod p$, and sends $\{r, s, \text{text}_A\}$ to B.
3. B recovers the value $\alpha^x \bmod p$ by computing $\alpha^s (p_A)^r \bmod p$ and then computes the shared session key $K = (r \alpha^x)^{b^{-1}} = \alpha^t \bmod p$.

If interloper E wishes to have messages from A identified as having originated from herself, E selects a random integer e, $1 \le e \le p-2$, computes $p_E = \alpha^e$ and gets this certified as her public key.

1. E intercepts A's message $\{r, s, \text{text}_A\}$ and computes $\alpha^x = \alpha^s (p_A)^r$ and $\alpha^{bt} = r \alpha^x$.
2. E then selects a random integer x', $1 \le x' \le p-2$, computes $r' = \alpha^{bt} \alpha^{-x'} \bmod p$ and $s' = x' - r'e \bmod (p-1)$.
3. E sends $\{r', s', \text{text}_E\}$ to B.
4. B recovers the value $\alpha^{x'} \bmod p$ by computing $\alpha^{s'} (p_E)^{r'} \bmod p$ and then computes $K = (r' \alpha^{x'})^{b^{-1}} = \alpha^t \bmod p$.
5. A and B now share the key K, even though B believes he shares a key with E.

To foil such an attack the protocol is modified by requiring A to also transmit a value h of $F(p_A, K)$, where F is a hash function, an encryption function of a symmetric-key system with key K, or other suitable cryptographic function. The modified protocol is the following.

1. A selects random integers x and t, $1 \le x, t \le p-2$.
2. A computes $r = (p_B)^t \alpha^{-x} \bmod p$, $s = x - ra \bmod (p-1)$, the session key $K = \alpha^t \bmod p$ and the value h of the hash function $F(p_A, K)$. A sends $\{r, s, h, \text{text}_A\}$ to B.
3. B recovers the value $\alpha^x \bmod p$ by computing $\alpha^s (p_A)^r \bmod p$ and then computes the shared session key $K = (r \alpha^x)^{b^{-1}} = \alpha^t \bmod p$. B also computes the value h' of the function $F(p_A, K)$ and verifies that this value is equal to h.

Again therefore, by binding together the public information and the session key K in the hash function, the interposition of E will not result in identical hash values h, h'.
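The one-pass exchange above, E's re-signing of the recovered $\alpha^{bt}$ under her own key, and the $F(p_A, K)$ check of the modified protocol, as an added Python example that is not part of the patent. It assumes the same toy parameters as before (p = 2^127 - 1, base 3), SHA-256 for F, and draws b coprime to p - 1 so that $b^{-1} \bmod (p-1)$ exists; session() returns whether the keys agree, whom B takes the sender to be, and whether B's check h' = h passes.

```python
# Added example (not from the patent): Nyberg-Rueppel one-pass key agreement,
# E's interposition, and the h = F(p_A, K) binding of the modified protocol.
# Toy parameters are assumptions; SHA-256 stands in for the hash function F.
import hashlib
import math
import secrets

P = 2**127 - 1        # Mersenne prime, demo only
ALPHA = 3             # base element alpha (assumed)
Q = P - 1             # exponent modulus p-1


def rand_exp(coprime=False):
    """Random 1 <= k <= p-2; with coprime=True also gcd(k, p-1) = 1 (needed for b^-1 mod p-1)."""
    while True:
        k = secrets.randbelow(Q - 1) + 1
        if not coprime or math.gcd(k, Q) == 1:
            return k


def F(pub, K):
    return hashlib.sha256(f"{pub}|{K}".encode()).digest()


def nr_send(a, pA, pB, bind=False):
    """A's single pass: (r, s[, h]) plus A's own copy of K = alpha^t."""
    x, t = rand_exp(), rand_exp()
    r = pow(pB, t, P) * pow(ALPHA, -x, P) % P     # p_B^t * alpha^-x (negative exponent inverts mod p)
    s = (x - r * a) % Q                            # s = x - r a mod (p-1)
    K = pow(ALPHA, t, P)
    h = F(pA, K) if bind else None
    return r, s, h, K


def nr_receive(b, sender_pub, r, s, h=None):
    """B recovers alpha^x = alpha^s * pub^r, then K = (r alpha^x)^(b^-1); checks h if present."""
    ax = pow(ALPHA, s, P) * pow(sender_pub, r, P) % P
    K = pow(r * ax % P, pow(b, -1, Q), P)
    ok = True if h is None else F(sender_pub, K) == h
    return K, ok


def nr_interpose(e, pA, r, s):
    """E (public key alpha^e) recovers alpha^(bt) from A's message and re-signs it under e."""
    ax = pow(ALPHA, s, P) * pow(pA, r, P) % P
    bt = r * ax % P                                # alpha^(bt), since r = alpha^(bt) alpha^-x
    x2 = rand_exp()
    r2 = bt * pow(ALPHA, -x2, P) % P
    s2 = (x2 - r2 * e) % Q
    return r2, s2                                  # goes out as {r', s', text_E}


def session(attack=False, bind=False):
    a, b, e = rand_exp(), rand_exp(coprime=True), rand_exp()
    pA, pB, pE = pow(ALPHA, a, P), pow(ALPHA, b, P), pow(ALPHA, e, P)
    r, s, h, K_A = nr_send(a, pA, pB, bind)
    if attack:
        r, s = nr_interpose(e, pA, r, s)      # E can only forward A's h = F(p_A, K): she lacks K
        K_B, ok = nr_receive(b, pE, r, s, h)  # B checks against p_E, the key text_E names
    else:
        K_B, ok = nr_receive(b, pA, r, s, h)
    return {"keys_agree": K_A == K_B, "B_thinks_peer": "E" if attack else "A", "check_passes": ok}
```

The attack succeeds in the unmodified protocol because r and s only commit to $\alpha^{bt}$, which E can recover and re-sign; once A binds her own public key to K in h, B's recomputation under $p_E$ no longer matches, and E cannot produce $F(p_E, K)$ without t.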

In each case it can be seen that a relatively simple modification to the protocols, involving the binding of public and private information in a cryptographic function, foils the interposition of interloper E.

All the protocols discussed above have been described in the setting of the multiplicative group $\mathbb{Z}_p^*$. However, they can all be easily modified to work in any finite group in which the discrete logarithm problem appears intractable. Suitable choices include the multiplicative group of a finite field (in particular the finite field $GF(2^n)$), subgroups of $\mathbb{Z}_p^*$ of order q, and the group of points on an elliptic curve defined over a finite field. In each case an appropriate generator $\alpha$ will be used to define the public keys.

The protocols discussed above can also be modified in a straightforward way to handle the situation when each user picks their own system parameters p and $\alpha$ (or analogous parameters if a group other than $\mathbb{Z}_p^*$ is used).

Further implementations are shown schematically in figures 2 through 7. A different notation is utilized but it will be understood that this notation may be mapped to that of the previous embodiments.

Referring to figure 2, a mutual public key authenticated key agreement protocol is implemented between a correspondent A shown on the left hand side of the figure and a correspondent B shown on the right hand side. Correspondent A has a public-private key pair $P_A$, $S_A$ respectively and similarly correspondent B has a public-private key pair $P_B$, $S_B$.

As a first step, correspondent A generates a session private key as a random number $RND_A$ and computes a corresponding public session key $G_A = F_A(RND_A)$. The function $F_A$ is a cryptographic one-way function, typically an exponentiation by the group generator, such as a point multiplication in an elliptic curve cryptosystem.

The public session key $G_A$ is forwarded to correspondent B, who generates the corresponding parameters of a session private key $RND_B$ and the exponent $G_B$.

The correspondent B computes a session key K as a function of A's public information $G_A$, $P_A$ and B's private information $RND_B$, $S_B$. A corresponding key K' can be computed by A using the private information of A and the public information of B, namely $f(RND_A, G_B, S_A, P_B)$.

After correspondent B has generated the key K, he compiles a string $(G_A \| G_B \| Id_A)$, where $Id_A$ is a string that identifies A. The concatenated string is hashed with a cryptographic function $h_K$, which is a keyed hash function that uses the key K, to yield a string $hash_B$.

The string $hash_B$ is forwarded to correspondent A together with $Id_A$ and $G_B$.

Upon receipt of the message from B, correspondent A computes the key K' as described above. Correspondent A also computes a hash, $hashverify_B$, from the string $(G_A \| G_B \| Id_A)$ using the hash function keyed by the key K'. Correspondent A checks that the hashes verify to confirm the identity of the keys K, K'.

Correspondent A then computes a hash $hash_A$ using the key K on the string $(G_A \| G_B \| Id_B)$ and forwards that together with $Id_B$ to correspondent B. Correspondent B similarly computes $hashverify_A$ using the keyed hash function $h_K$ on the same string and verifies that $hash_A = hashverify_A$.
A similar protocol is shown in figure 3 to implement a mutual symmetric key authentication protocol. In this protocol the correspondents share a key K obtained over a secure channel. The correspondents A, B each generate a random integer which is used as the session public key of A and B respectively. Thereafter the exchange of information and verification proceeds as above with respect to figure 2, with the shared secret key being utilised in the keyed hash functions.

A full mutual public key authenticated protocol is shown in figure 4. An initial exchange of the public keys $P_A$, $P_B$ is performed over an authenticated channel, followed by the exchange of information as shown in the protocol of figure 4. In this case the correspondent A sends $G_A$, computed as described above with respect to figure 2, together with a string $x_2$ of which A wants confirmation of receipt by B. Correspondent B computes the key K as in figure 2 and also generates a pair of strings $y_1$, $y_2$ which B wants to have authenticated by A and receipt confirmed by A respectively. The strings are sent to A with the hash $hash_B$ and identity $Id_A$. The hash $hash_B$ is performed on a string including the message $x_2$ and the string $y_1$ that B wants authenticated.

Correspondent A computes the key K and verifies the hash as before. This also confirms receipt of $x_2$ by B.

Correspondent A in turn generates strings $z_1$, $z_2$, where $z_1$ is a string that A wants authenticated by B and $z_2$ is a string that may be used in a subsequent stage of the protocol described below. The strings $z_1$ and $y_2$, together with the identifying information of B, $Id_B$, are included in the string that is hashed with the key K to provide the string $hash_A$. This is sent together with the identity of B and the strings $z_1$, $z_2$ to the correspondent B, who can verify the hashes as before, thereby confirming receipt of $y_2$ and authenticating $z_1$.
Thus the exchange of information is performed in an authenticated manner and a common key obtained that allows subsequent exchange of correspondence on a secure channel.
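The three-pass exchange of figure 4, with HMAC-SHA256 standing in for the keyed hash $h_K$, as an added Python example that is not part of the patent. The text does not spell out the key function $f(RND, G, S, P)$, so an MTI/A0-style combination $K = G_{peer}^{S} \cdot P_{peer}^{RND}$ is assumed here, together with the same toy group parameters as before (p = 2^127 - 1, base 3); figure4() returns the agreed key, or None when either hash comparison fails, and a tamper hook lets an active adversary alter $x_2$ on the wire to show how receipt confirmation catches it.

```python
# Added example (not from the patent): the figure-4 exchange with HMAC-SHA256 as h_K.
# The key function f(RND, G, S, P) is an assumption (MTI/A0-style); toy group parameters.
import hashlib
import hmac
import secrets

P = 2**127 - 1        # Mersenne prime, demo only
ALPHA = 3             # base element alpha (assumed)
Q = P - 1


def h_K(K, *parts):
    """Keyed hash h_K over the concatenation of the given strings and group elements."""
    data = b"||".join(p if isinstance(p, bytes) else str(p).encode() for p in parts)
    return hmac.new(K.to_bytes(16, "big"), data, hashlib.sha256).digest()


class Party:
    def __init__(self, ident):
        self.Id = ident.encode()                  # Id_A / Id_B
        self.S = secrets.randbelow(Q - 1) + 1     # static private key S
        self.Pk = pow(ALPHA, self.S, P)           # static public key P (exchanged over an authenticated channel)

    def session_public(self):
        self.RND = secrets.randbelow(Q - 1) + 1   # session private key RND
        return pow(ALPHA, self.RND, P)            # G = F(RND): a one-way exponentiation

    def key(self, peer_G, peer_P):
        # assumed f(RND, G, S, P); both sides evaluate it with their own private data
        return pow(peer_G, self.S, P) * pow(peer_P, self.RND, P) % P


def figure4(A, B, x2=b"", y1=b"", y2=b"", z1=b"", z2=b"", tamper=None):
    """Run the figure-4 exchange; returns the agreed key or None if a hash check fails.
    tamper, if given, rewrites x2 between A and B (an active adversary on the channel)."""
    # pass 1: A -> B : G_A, x2
    G_A = A.session_public()
    x2_at_B = tamper(x2) if tamper else x2
    # pass 2: B -> A : G_B, y1, y2, Id_A, hash_B = h_K(G_A || G_B || Id_A || x2 || y1)
    G_B = B.session_public()
    K_B = B.key(G_A, A.Pk)
    hash_B = h_K(K_B, G_A, G_B, A.Id, x2_at_B, y1)
    # A computes K' and hashverify_B over what A actually sent
    K_A = A.key(G_B, B.Pk)
    if not hmac.compare_digest(hash_B, h_K(K_A, G_A, G_B, A.Id, x2, y1)):
        return None                                # keys differ or x2 was not received intact
    # pass 3: A -> B : z1, z2, Id_B, hash_A = h_K(G_A || G_B || Id_B || z1 || y2)
    hash_A = h_K(K_A, G_A, G_B, B.Id, z1, y2)
    if not hmac.compare_digest(hash_A, h_K(K_B, G_A, G_B, B.Id, z1, y2)):
        return None
    return K_A                                     # equals K_B; y2 confirmed, z1 authenticated
```

Because every string that a party wants confirmed or authenticated is folded into the keyed hash, a change to $x_2$ in transit makes $hash_B$ disagree with A's $hashverify_B$ and the run aborts before pass 3.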

With the protocol described in figure 4 it is possible to implement a mutual public key authenticated key agreement protocol by letting the strings $x_2, y_1, y_2, z_1, z_2$ all be empty strings. Alternatively, a mutual public key authenticated key agreement protocol with key transport can be implemented by using $x_2$ as a string that is assumed to represent $E_K(k)$. Correspondent B can compute the value of K and hence retrieve the notional value of k from the string. He can use this as his CRP. The values of $y_1$ may be used to represent $E_K(k_{21})$ and $z_1$ as $E_K(k_{12})$, where $k_{21}$ and $k_{12}$ are different keys for communication or other secret information to be shared between the correspondents. In this case $y_2$ and $z_2$ are empty strings. In this way there is a key agreement on a shared key $K_{AB}$ together with authenticated key transport of the keys $k_{12}$ and $k_{21}$ between the correspondents. Moreover, if additional information is provided in $x_2$ and $y_2$ then confirmation of proper receipt is also obtained.

The protocol of figure 4 may also be used to increase efficiency in successive sessions by using the string $z_2$ to pass the information exchanged in the first pass of the next session. Thus as shown in figure 5, the string $G_A, x_2$ is sent as $z_2$ in the previous session. The protocol then proceeds from correspondent B as before. Correspondent B may also take advantage of this facility by including the information $G_B, y_1$ for the next session in the exchange as $y_2$.

The mutual public key authenticated key agreement protocol may also be adapted for symmetric key implementations as shown in figure 6. In this case, as in figure 3 above, the key generation is omitted as the correspondents have a shared key obtained over a secure channel.

Similarly, the protocol of figure 6 may be modified as illustrated in figure 7 to take advantage of the exchange of information in a previous session, similar to that of figure 5.

It will be seen therefore that a number of versatile and flexible protocols can be developed from the general protocol to meet particular needs. These protocols may implement elliptic curve cryptography or operate in $\mathbb{Z}_p$ as preferred.